CERT Recently Published Vulnerability Notes

VU#123335: Multiple programming languages fail to escape arguments properly in Microsoft Windows

Command injection vulnerabilities have been identified in various programming languages when running on Windows, allowing attackers to execute arbitrary code disguised as command arguments. This occurs due to a lack of proper validation and escaping mechanisms for commands and arguments. The vulnerability affects applications that execute commands without specifying file extensions and can be exploited to execute arbitrary commands. Microsoft has documented concerns about command execution and escaping since 2011. The impact of this vulnerability depends on the implementation and can be mitigated by updating the runtime environment or manually escaping and neutralizing data. A security researcher has provided detailed information on specific languages affected and their status.
kb.cert.org